NATO recently officially declared cyberspace a domain of warfare as the battle between nations shifts to the so-called fifth domain. Lance Dubsky, Chief Security Strategist at FireEye, spoke exclusively to ITWatchIT about security trends his company has noticed in its exhaustive research, the implications of IoT on security and the future of cyberattacks.
FireEye Released a Report Saying EMEA Countries Respond to Threats Slower Than Their Counterparts
We do a lot of research to find out the effectiveness of response to incidents, said Dubsky. For instance, Mandiant, which is the services part of FireEye, published the M-Trends 2016 report where we talk about the 2015 trends from breach investigations, including how long it takes to respond to breaches.
We do that analysis across different sectors – Asia Pacific, the Americas and EMEA [EMEA is an acronym for Europe, Middle East and Africa]. We also do a lot of research across business sectors. What we have noticed is that sometimes, the detection capabilities within the security operation centers are not catching breaches fast enough, and this is quite common across the globe.
Across all of the customers that we looked at, there was a 146-day lag, which is a lot of time from when a breach occurs. That is several months and is not a good trend, but it is still a dramatic improvement from previous years. In 2014, it was 205 days, and in 2013, it was 215 days, so security operation centers are improving – just not rapidly enough on how they detect breaches and compromises within their systems.
Why Focus on EMEA If It’s a Global Phenomenon?
A lot of times, EMEA wants their own analysis, just like Asia Pacific wants theirs and the Americas want theirs. We focus on a particular sector in order to discover the problems there, in order to eliminate them. Typically, when we discover those challenges, we highlight the focus areas the region needs to concentrate on.
In the M-Trends report, what we are noticing is that credentials are being stolen, and endpoint devices are being used to mask the exfiltration of data. The M-Trends report is a 50-page summary of analysis from our breach investigations.
We are also producing a report from our customers across the financial sector where we talk about the trends we’ve noticed and the security hygiene that needs to be put in place.
One of the trends we highlighted in the report is the importance of two-factor authentication. As painful as that might be, it is critical to security, and we’ve noticed that there are still a lot of organizations that are not implementing two-factor authentication.
FireEye acquired iSIGHT Partners in January, which is basically a cyberintelligence organization where we have 200 cyberintelligence analysts who live on the Dark Net and monitor a lot of these hacker forums, listen to the chatter and monitor the card shops. When there is a major compromise and hackers are trying to turn that data around and monetize it, we have intelligence analysts in 20 different countries around the world monitoring the Dark Net for that and other intelligence gathering.
Why Do They Sell The Data So Cheaply?
Identities often sell for $20 in card shops on the Dark Net, which seems inexpensive; most likely it is the fastest way to monetize the identity. Depending on how much content is in that data, they could sell them for more. Basically, if you have that information, you could assume that person’s identity, open bank accounts and so on. Also, there has been a lot of attention regarding ransomware, and the discussion has centered on the sometimes low ransom amount. Again, the hackers are just trying to get the fastest deal they can make.
It’s just like a smash and grab where you go into a jewelry store, break the glass and grab what you can, and try to turn that into cash as fast as you can.
Some Security Experts Recommend Data Siloing To Make Hackers Work More For Less
Cybercriminals today are becoming very skilled at identifying database characteristics, exactly where database administrators put information, how to search for card data – the level one, level two that’s on your credit card, and the security code that’s on the back of your card.
When a breach happens to a financial institution, the best cybercriminals know where to search for those databases and database administrators. If a database administrator is identified, they will try to compromise that individual’s credentials, because that person will have master access to all of the data.
What we have found is that cybercriminals are very crafty in how they are identifying the databases and where the data is located.
A lot of times, cybercriminals are opportunistic and will go for the easiest data first, but today’s cybercriminal is highly focused and educated on what their targets are. Just like you come to your job and I come to mine for specific duties, those particular hackers have targets.
The fact that they have trouble getting in one way doesn’t mean they will not try to exploit other vectors and try to push into that. If the value of the data is great, that would be enough motivation for them to go after it.
Easy Access To Hacking Tools Means You Don’t Have To Be An Expert
One of the greatest challenges is that the more ransomware cases you see publicly where the victim paid up, the more it inspires a completely new generation of hackers. All of the publicity around those cases where they paid money to the hackers encourages up-and-coming hackers who have access to all of these hacking tools and forums where they can understand how to carry out the hacks.
For a low investment of about $10,000, and being able to purchase some particular form of malware through the forums, someone who is smart can basically take those tools all together, and try to attack a vulnerable victim.
On the solution side, every organization needs to be focused on high fidelity backups and recovery.
Cybercriminals Now Specialize
The other thing we are noticing is that cybercriminals are starting to specialize. You have some hackers that are great at exploiting and getting into a network. You have others that are great at moving laterally and collecting data, while others are good at exfiltrating that data.
Some are good at monetizing data in card forums and other places, so now you have a sort of consortium of hackers who before would typically work independently.
Now, they work together and there are actually certain cases where we see hackers penetrate a network or organization, and turn around to sell access to that particular victim.
Autonomous Vehicles Open Up a Whole New Field for Hackers
I’m not sure that we are ready for self-driving vehicles just yet. With the Internet of Things, the problem of security for connected devices already exists. Thermostats and other remote access devices within your own home fall under the same category.
The companies that produce wireless and remote access capability devices need to have a cybersecurity section with instructions that tell the device owner: this is the best way to secure the device so that it is not vulnerable.
NIST Recently Announced They Will Update Their Cybersecurity Framework
NIST is a great organization. When I was in the federal sector, I used a lot of their standards for evolving my own risk management and security programs, and I think it offers more agile capabilities. If you asked congressmen or senators to produce something, there are a lot of things that have to line up for that to really happen. An organization like NIST can take something that is of great concern and importance to the populace, and produce a standard that would help the consumers.
Do Consumers Really Know What They Are Getting Into When They Purchase Connected Devices?
I think it’s the new buyer beware, and you really have to be careful what you buy. Consumers have to educate themselves, manufacturers have to do their part in providing some of that education, and those bodies and a lot of companies could be part of producing best practices for a variety of devices.
When I was in the intelligence community, one of the things that was a challenge was that a number of the leadership wanted new technology, and it was my job to basically counsel and ask what the business case was for these Internet of Things devices that they were asking for.
On my side as the chief security officer, I was responsible for evaluating, educating, and making the risk decision on bringing in new technology. I always tried to work with the organization to embrace the Internet of Things, especially if it’s a business-enabling technology that helps the organization do something better and more efficiently.
On the other hand, I had to produce the best practices for implementing that and making sure that the technology is secure. There are advantages to IoT, even security advantages. The challenge is making sure that it is secure.
How Do You See the Whole Threat Landscape Evolving?
Cyberspace is a domain of war. Presidents Clinton, Bush and Obama have also called cyber a domain of war. What we have noticed within FireEye is that when countries don’t agree, that is typically the first choice. You’re not firing a missile or sending soldiers, but you’re attacking. For instance, in the Ukraine, in December, the power grid was taken out temporarily.
Vulnerable systems are a target if someone doesn’t agree with your politics, your country’s politics or a particular politician; your nation could be attacked in a variety of ways. Cyber has now become the first place from which an attack is launched. It could be against critical infrastructure, financial institutions, industrial control systems, or other national assets – that’s typically what they go for first.
The challenge is that a lot of that critical infrastructure consists of older systems that have outdated protection. They don’t have the security monitoring that a lot of modern companies and organizations have, and they are also interconnected with a lot of different systems.
For instance, you find that the HVAC system may be connected with part of the power grid or power station. As such, if the HVAC system typically has remote access, then that is a really easy vector to go and attack.
This is the kind of target a capable threat actor could launch an attack against. Just as cybercriminals are trying to figure out the easiest way to grab money, nation-state attackers look at the vulnerabilities of other countries when they don’t agree.
Something like that happened to the country of Georgia where cyberattacks originating from Russia were launched. It’s really happening more and more.
FireEye is a unique company in that we have great capabilities: technology, intelligence and expertise. We often describe our capabilities as pre-breach capabilities, during-breach capabilities and after-breach capabilities. The iSIGHT Partners cyberintelligence aspect of the company, which focuses on tracking thousands of threat actors and surveilling the Dark Web where the hackers plan their attacks, is basically a pre-breach capability.
Our product line, which is becoming more and more integrated and automated through security orchestration and enables us to focus across a variety of different attack vectors, is basically the way a modern security operation center should be.
We have cloud, mobility, endpoint, network, file, email, forensics and other security capabilities – so that no matter what type of attack is going on, whether it be a phishing attack through email or the compromise of an endpoint – our product capabilities are now integrated so you can detect an attack before it does damage.
Lance is a veteran in cybersecurity. His career spans twenty years in the Air Force and six years consulting in the public sector. He also worked eight years in the federal sector for two intelligence agencies, as the CISO for the National Geospatial-Intelligence Agency and the deputy CISO for the National Reconnaissance Office.
Speaker: Lance Dubsky
Lance Dubsky (Twitter: @cybercondor) is Chief Security Strategist at FireEye and has over two decades of experience planning, building and implementing large information security programs. Before joining FireEye, he served as the Chief Information Security Officer at two U.S. intelligence agencies, where he led global security programs. Dubsky led transformations for risk management, security engineering, space security assurance, and security operations. Earlier in his career he worked as an independent consultant advising numerous clients in the public sector at strategic and tactical levels. Dubsky is a veteran of the U.S. Air Force.
FireEye provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 4,000 customers across 67 countries, including more than 650 of the Forbes Global 2000.